Commit 59917050 authored by Sonia Zorba's avatar Sonia Zorba

Added check for ownerId on file download

parent bf88af49
Pipeline #840 passed
......@@ -8,6 +8,7 @@ public class FileInfo {
private boolean isPublic;
private List<String> groupRead;
private List<String> groupWrite;
private String ownerId;
private boolean asyncTrans;
public String getOsRelPath() {
......@@ -42,6 +43,14 @@ public class FileInfo {
this.groupWrite = groupWrite;
}
public String getOwnerId() {
return ownerId;
}
public void setOwnerId(String ownerId) {
this.ownerId = ownerId;
}
public boolean isAsyncTrans() {
return asyncTrans;
}
......
......@@ -64,10 +64,18 @@ public class GetFileController {
}
private boolean privateButDownloadable(FileInfo fileInfo) {
String token = ((TokenPrincipal) request.getUserPrincipal()).getToken();
TokenPrincipal principal = (TokenPrincipal) request.getUserPrincipal();
String token = principal.getToken();
if (token == null) {
return false;
}
if (principal.getName().equals(fileInfo.getOwnerId())) {
return true;
}
// TODO: configure cache
if (fileInfo.getGroupRead() == null) {
return false;
......
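Review bot: The new owner check `principal.getName().equals(fileInfo.getOwnerId())` dereferences `getName()` without a null guard, so if `TokenPrincipal` can ever carry a token but no name (not visible here), the authorization decision ends in a NullPointerException instead of a clean deny. Anchoring the comparison on the stored value avoids that and makes it explicit that a row with no `owner_id` never matches: `String ownerId = fileInfo.getOwnerId();` followed by `if (ownerId != null && ownerId.equals(principal.getName())) {`. A short comment such as `// the owner may always download, regardless of group_read` would also help, since this branch returns before the group checks. The body of `privateButDownloadable` continues past the end of the hunk, so the group logic itself is not reviewed here.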
......@@ -25,7 +25,7 @@ public class FileDAO {
public Optional<FileInfo> getFileInfo(String virtualPath) {
String sql = "select os_path, is_public, group_read, group_write, async_trans from\n"
String sql = "select os_path, is_public, group_read, group_write, owner_id, async_trans from\n"
+ "node n join node_path p on n.node_id = p.node_id\n"
+ "and vos_path = ?";
......@@ -40,6 +40,7 @@ public class FileDAO {
fi.setIsPublic(rs.getBoolean("is_public"));
fi.setGroupRead(toList(rs.getArray("group_read")));
fi.setGroupWrite(toList(rs.getArray("group_write")));
fi.setOwnerId(rs.getString("owner_id"));
fi.setAsyncTrans(rs.getBoolean("async_trans"));
return fi;
}
......
......@@ -130,4 +130,36 @@ public class GetFileControllerTest {
when(fileDao.getFileInfo(any())).thenReturn(Optional.of(fileInfo));
}
@Test
public void getPrivateFileByOwnerId() throws Exception {
Map<String, Object> claims = new HashMap<>();
claims.put("sub", "123");
when(tokenParser.getClaims(any())).thenReturn(claims);
FileInfo fileInfo = new FileInfo();
fileInfo.setOsRelPath(tempFile.getAbsolutePath());
fileInfo.setOwnerId("123");
when(fileDao.getFileInfo(any())).thenReturn(Optional.of(fileInfo));
mockMvc.perform(get("/path/to/myfile")
.header("Authorization", "Bearer: <token>"))
.andDo(print())
.andExpect(status().isOk());
}
@Test
public void testPrivateFileNullToken() throws Exception {
FileInfo fileInfo = new FileInfo();
when(fileDao.getFileInfo(any())).thenReturn(Optional.of(fileInfo));
mockMvc.perform(get("/path/to/myfile"))
.andDo(print())
.andExpect(status().isUnauthorized());
}
}
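Review bot: The new tests in this section cover only the allow path (`getPrivateFileByOwnerId`) and the missing-token path, so nothing pins the deny path of the owner check. A test where the token subject differs from `ownerId` and no group grants read access should be added, otherwise a regression that makes the comparison always true would go unnoticed. The exact status the controller returns for that case is not visible on this page, so the sketch below asserts only a 4xx response and should be tightened to the real code. Separately, the header value `"Bearer: <token>"` carries a colon after the scheme, which the mocked `tokenParser` hides; it is worth confirming that this matches what the real filter expects.

```java
@Test
public void getPrivateFileByDifferentOwnerId() throws Exception {
    Map<String, Object> claims = new HashMap<>();
    claims.put("sub", "456"); // constructed value: a subject that is not the owner
    when(tokenParser.getClaims(any())).thenReturn(claims);
    FileInfo fileInfo = new FileInfo();
    fileInfo.setOsRelPath(tempFile.getAbsolutePath());
    fileInfo.setOwnerId("123");
    when(fileDao.getFileInfo(any())).thenReturn(Optional.of(fileInfo));
    mockMvc.perform(get("/path/to/myfile")
            .header("Authorization", "Bearer: <token>"))
            .andDo(print())
            .andExpect(status().is4xxClientError());
}
```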